Amending crypto map drops VPN

Darren Durbin
Level 1

Hi,

We have a pair of ASA 5508-X, configured to failover, providing VPN services.

We have a number of site-to-site IPSEC VPNs terminating on the ASA, using a mixture of 800 series routers and ISR4331s. Each VPN carries a number of subnets.

This all works well, but we have a problem when we try to edit the crypto maps on the 4331s in order to, for example, pass a new subnet via the VPN.

So, if on one of the 4331s I execute (to take one example - any combination of networks appears to give the same result)

access-list 150 permit ip 172.1.1.0 0.0.0.255 10.3.0.0 0.0.255.255

Then the VPN will drop (the ASA reports a client-requested disconnect) 2-3 packets, and then reconnect.

Should I then try to *remove* that ACL entry, the VPN drops, doesn't reconnect, and we need to power-cycle the router. We don't have this issue on the 800 series routers - just the ISR4000 series ones.

So, two questions: Is a brief drop of the VPN expected when adding a new entry to the crypto map ACL? I've never noticed it happen before. And secondly, why would the VPN drop, and not reconnect, when we simply remove the newly added ACL entry?

Any ideas gratefully appreciated!

Thanks.
